[cap-talk] Polaris: Virus Safe Computing for Windows XP

Karp, Alan H alan.karp at hp.com
Mon Dec 13 13:56:18 EST 2004 

Jed Donnelley wrote:
> >The synchronizer updates the file as soon as it detects a 
> change to the
> >copy.
> 
> Does that mean it's polling?  How does the synchronizer find out
> about such a change?
> 
I haven't looked at the code, but I know you can register for an event
to be sent when a file or directory changes.
 
> >           Indeed, most applications won't open a file for 
> write if it's
> >already open for write.
> 
> Notepad apparently does...  I haven't tested many others, but 
> that seems
> pretty significant to me.
> 
The important thing is that the behavior will be the same with Polaris
as it is without.
> 
> I agree the mechanism in useful to avoid having implicit
> sharing happening through the RunAs user.  However,
> touting this value as resulting from "properly distinguishing
> authority from permission" seems somewhat more than
> a bit much - to me.
> 
I agree.  I've now removed the offending phrase from the document.
 
> >Not specifically.  If I logged into a pet account and launced Excel
> >directly, there's be no RunAs involved.  As long as the 
> PowerBox running
> >as a system service recognized this process as running in a 
> pet, opening
> >a file would work the same as described in the paper.  
> (Well, at least
> >it should, but we don't have the PowerBox running as a 
> service today.)
> 
> By "the same" do you mean that the PowerBox will somehow (above)
> detect changes in the file and change the corresponding file
> belonging to another user outside the Pet?  If that's so I'll have to
> say that doesn't seem particularly desirable behavior to me.  I don't
> know why anybody would (or would be allowed to) login as this
> "pet" user, but if that happened it seems to me to confuse things.
> In that case you would have multiple applications sharing "ambient"
> access to some of these (admittedly indirect) resources - in
> likely violation of POLA.
> 
If I use Polaris to open the file, then there would be a synchronizer,
whether I did a RunAs or logon.  Also, there is a separate pet for each
application, or even several pets for the same application.  Logging in
to a pet account gives me the same privileges as launching an
application under Polaris, which uses RunAs.
> 
> In contrast the 2 level encapsulation scheme that I outlined
> runs each Windows application under a separate Windows
> emulator which is individually granted resource access strictly
> according to POLA.
> 
> Sorry if I'm not getting it, but it sounds to me like you might
> be getting a bit carried away with your mechanism and losing
> sight of what you're trying to accomplish - at least if I'm
> correctly understanding what you are trying to accomplish.
> 
I'd love to use your encapsulation scheme, and it's exactly what I'd use
on Linux.  I just don't know how to do it on Windows.  None of the
virtual OSes, ala Xen, works with Windows, and virtual machines are too
heavyweight to have one per process.
> 
> I've got that, but isn't it also important that if multiple 
> applications
> are running at the same time under Polaris (or when logged into
> the "pet" account) that they each get rights according to
> POLA?
> 
They are to the best of our ability and consistent with usability.  For
example, in the Alpha, all files opened by a particular pet are
accessible to all running instances of that pet.  That's a violation of
POLA, but creating an account on launch would make the system too slow.
However, each pet runs in a separate account, so a file opened in an
Excel pet is not accessible by an Word pet, or even by a different pet
configured to run Excel.
> 
> Ah.  Unfortunate.  Is it the lack of the restricted execution 
> environment
> that's the major problem or the lack of the Windows emulator or ???
> 
If we had an emulator with the right hooks, we could build the
restricted execution environment.  That might be a lot of effort, but at
least we'd have a shot at it.
> 
> You indicated that you are considering virtual machine monitors
> for a protected execution environment for Polaris.  Isn't 
> that over kill
> if all you need is the simpler sort of protected execution environment
> that I discussed?  Is it just the fact that some VM monitors are
> available and the simpler facility doesn't seem to be?  Using a
> VM monitor for something like Polaris would seem to me to really
> be opening up a can of worms.
> 
Yes, but it's there, and it runs Windows.  We now think we can avoid
using a VM by taking advantage of alternate desktops to close the GUI
hole.
> 
> >We originally planned to do something along these lines on
> >Linux.  Given the resources, we might still.
> 
> It would be of particular interest on Linux I think because you would
> not only get POLA for applications but you'd be getting it for Windows
> applications under Linux.  Of course you'd need and could probably
> leverage something like wine to pull it off.   Paradoxically on Linux
> it might be more difficult to provide a POLA execution environment
> for Linux applications ;-)
> 
I meant for Gnome or other Linus desktop environments.  We also have a
plan for future work that combines CapDesk and Polaris, but I don't know
when we can start working on it.
 
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Karp, Alan H.vcf
Type: text/x-vcard
Size: 433 bytes
Desc: Karp, Alan H.vcf
Url : http://www.eros-os.org/pipermail/cap-talk/attachments/20041213/25e43724/KarpAlanH-0001.vcf

More information about the cap-talk mailing list